Security Engineer

As a member of the security team at GitLab, you will be working towards raising the bar on security. We achieve that by collaborating with cross-functional teams to provide guidance on security best practices.

The Security Team is responsible for leading and implementing the various initiatives that relate to improving GitLab's security.

Responsibilities

Develop security training and guidance to internal development teams

Provide subject matter expertise on architecture, authentication and system security

Security Automation

Security Automation specialists help us scale by creating tools that perform common tasks automatically. Examples include building automated security issue triage and management, proactive vulnerability scanning, and defining security metrics for executive review. Initiatives for this specialty also include:

Assist other security specialty teams in their automation efforts

Assess security tools and integrate tools as needed

Define and own metrics and KPIs to determine the effectiveness of security programs

Define, implement, and monitor security measures to protect GitLab.com and company assets

Security Automation Responsibilities

Build security tooling and automation for internal use that enable the security team to operate at high speed and wide scale

Define and own metrics and key performance indicators to determine the effectiveness of security programs

Define, implement, and monitor security measures to protect GitLab.com and company assets

Security Engineers at GitLab work on securing our product and on internal security. On the product side, this includes the open source version of GitLab, the enterprise editions, and the GitLab.com service. Security Engineers work with peers on cross-functional teams dedicated to areas of the product. They also work together with product managers, developers, and the infrastructure teams to solve common goals.

Security Operations

Security Operations specialists respond to incidents. This is often a fast-paced and stressful environment, where responding quickly and maintaining one's composure is critical. Initiatives for this specialty also include:

Must have strong skills and experience in at least one of the areas below:

Vulnerability management

Incident response

Logging and analytics

Focus on detection and incident response, and implement preventative mechanisms

Coordinate company-wide responses to security incidents

Incorporate current security trends, advisories, publications, and academic research

Engineer computer network defense (CND) technologies for monitoring and analysis, e.g.

IDSes

Data collection tools

Conduct vulnerability management

Identify and mitigate complex security vulnerabilities before an attacker exploits them

Compliance

Compliance specialists enable Sales by achieving the standards our customers require. This covers SaaS, on-prem, and open source instances. Initiatives for this specialty also include:

Develop a roadmap based on customer needs, e.g.

GDPR

SOC 2

FIPS 140-2

Align other security specialist activities with the compliance roadmap

Develop relationships with key government personnel and policy makers

Assist work of internal and external auditors or advisors as needed

Red Team

Red Team specialists emulate adversary activity to improve GitLab's enterprise and product security. The role requires the ability to think like an advanced persistent threat. Creativity is key. For example, develop attack plans and stealthily execute them to compromise sensitive information on GitLab.com such as private repos, or develop and distribute malware to GitLabbers to demonstrate how the corporate enterprise could be compromised.

Utilize threat modeling concepts and frameworks such as MITRE ATT&CK, STRIDE, etc. to continually identify ways to protect and defend GitLab assets by executing attacks that emulate a range of adversaries

Focus on designing, researching, and executing attacks to challenge the blue team

Strive to identify weaknesses within GitLab products and corporate network and demonstrate the associated risks

Contribute to the GitLab Secure and Defend products

Incorporate current security trends, advisories, publications, and academic research

Report on the Red Team engagements providing an in-depth analysis of the security issues identified

Identify complex security vulnerabilities and exploit them before an external attacker can exploit them

Determine the level of effort required to compromise sensitive data

Publish blog posts and present talks at security conferences

Contribute to GitLab products by testing and proposing new features

Strategic Security

Strategic security specialists focus on holistic changes to policy, architecture, and processes to reduce entire categories of future security issues. Initiatives for this specialty also include:

Cluster related historical security issues and examine them as a larger set

Identify and generate trends associated with each set

Propose actionable changes to GitLab architecture, processes, and infrastructure to mitigate future issues within each set

Generate metrics which measure the effectiveness of each mitigation implemented

Security Research

Security research specialists conduct internal testing against GitLab assets, and against FOSS that is critical to GitLab products and operations. Initiatives for this specialty also include:

Conduct vulnerability research against all GitLab and GitLab.com assets

Research FOSS tools that are integrated with GitLab

Develop proof-of-concept code to be included in security findings

Report findings to tool developers and track mitigation process

Follow responsible disclosure policies for community disclosure

Author blog posts on vulnerabilities discovered

Hiring Process

Candidates for this position can expect the hiring process to follow the order below. Please keep in mind that candidates can be declined from the position at any stage of the process. To learn more about someone who may be conducting the interview, find her/his job title on our team page.

Screening call with Recruiter

Round 1 (Scheduled in Parallel)

60 Minute Interview with Hiring Manager

45 Minute Senior Peer Interview

Round 2 (Scheduled in Parallel)

60 Minute Interview with Director of Security

60 Minute Interview with VP of Engineering

Successful candidates will subsequently be made an offer via email

As always, the interviews and screening call will be conducted via a video call. See more details about our hiring process on the hiring handbook.

Apply

Please note that if we are actively hiring for a position, you will see it listed on our jobs page, where all of our current openings are advertised. To apply, please click on the name of the role you are interested in, which will take you to our applicant tracking system (ATS), Greenhouse.

Avoid the confidence gap; you do not have to match all the listed requirements exactly to apply. Our hiring process is described in more detail in our hiring handbook.

About GitLab

GitLab Inc. is a company based on the GitLab open-source project. GitLab is a community project to which over 1,000 people worldwide have contributed. We are an active participant in this community, trying to serve its needs and lead by example. We have one vision: everyone can contribute to all digital content, and our mission is to change all creative work from read-only to read-write so that everyone can contribute.

We value results, transparency, sharing, freedom, efficiency, frugality, collaboration, directness, kindness, diversity, boring solutions, and quirkiness. If these values match your personality, work ethic, and personal goals, we encourage you to visit our primer to learn more. Open source is our culture, our way of life, our story, and what makes us truly unique.

Top 10 reasons to work for GitLab:

Work with helpful, kind, motivated, and talented people.

Work remote so you have no commute and are free to travel and move.

Have flexible work hours so you are there for other people and free to plan the day how you like.

Everyone works remote, but you don't feel remote. We don't have a head office, so you're not in a satellite office.

Work on open source software so you can interact with a large community and can show your work.

Work on a product you use every day: we drink our own wine.

Work on a product used by lots of people that care about what you do.

As a company we contribute more than we take: most of our work is released as the open source GitLab CE.

Focused on results, not on long hours, so that you can have a life and don't burn out.

Open internal processes: know what you're getting into and be assured we're thoughtful and effective.